
Cyber Incident Victim: Uniswap

Date: Apr 2020

Location: China

Summary

Hackers executed a reentrancy attack that exploited the interaction between ERC-777 tokens and decentralized finance protocols, first targeting Uniswap without causing financial loss and then stealing approximately $25 million from the Lendf.me lending platform. The attackers used a known vulnerability to drain funds repeatedly through smart contract interactions and moved the stolen cryptocurrency to other accounts. After the perpetrators accidentally exposed an IP address, negotiations conducted through blockchain transactions led to the return of nearly all stolen assets; the small shortfall was attributed to market fluctuations. Both platforms temporarily suspended operations to limit further risk, and the token's issuer halted transactions to prevent additional exploits.


Description

On April 18-19, 2020, hackers executed two related attacks against the decentralized finance (DeFi) platforms Uniswap and Lendf.me. The first attack, on Saturday, targeted Uniswap, a cryptocurrency exchange, and caused no financial loss. The following day, the attackers drained approximately $25 million in cryptocurrency from Lendf.me, a lending platform operated by the dForce Foundation. Investigations revealed that both incidents involved a reentrancy attack exploiting the interaction between the platforms' smart contracts and the ERC-777 token standard used by imBTC, a token representing Bitcoin on the Ethereum blockchain at a 1:1 ratio. The attackers chained together weaknesses across several blockchain components to create withdrawal loops that bypassed the contracts' transaction validation checks. The same exploit, originally documented by security firm OpenZeppelin in July 2019, was used in both attacks; the Lendf.me breach extracted 99.5% of the platform's funds through repeated unauthorized withdrawals. Stolen assets were immediately moved to secondary accounts to frustrate tracing.


Both platforms suspended operations after the attacks, with Lendf.me and Uniswap taking their websites offline to prevent further exploitation. Tokenlon, the issuer of imBTC, halted all new transactions in the token and temporarily suspended its functionality across supported platforms. On April 21, 2020, the attackers returned $23.8 million of the stolen funds to Lendf.me after negotiations conducted through blockchain transactions, an outcome attributed to the accidental exposure of the attackers' IP address during the breach. The remaining $1.2 million discrepancy was attributed to cryptocurrency price fluctuations during the two-day incident window. Forensic analysis confirmed that the attacks used identical methods on both platforms, though only Lendf.me suffered material losses. No further platforms were compromised after the containment measures, which included permanent changes to the affected protocols' smart contract interaction models to prevent similar reentrancy exploits.
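The mechanism behind both the attack described above and the "smart contract interaction model" fix mentioned in the containment paragraph can be shown in a small Python model. This is an added illustration, not Solidity and not code from Uniswap, Lendf.me/dForce or Tokenlon. ERC-777 differs from ERC-20 in that a transfer calls a hook on the sending contract (the standard's tokensToSend hook) before balances move, so a pool that reads a depositor's ledger entry, calls the token, and then writes the value it read earlier lets that hook call withdraw() in between and have the withdrawal erased by the stale write. The class names, the "pool"/"user" accounts and the token balances are constructed for the example; the hardened pool applies the two standard mitigations, checks-effects-interactions ordering and a reentrancy guard, and rolls its ledger back on failure to mimic an EVM revert.

```python
# Added model of the ERC-777 reentrancy pattern; names and balances are constructed.


class HookedToken:
    """Token whose transfer calls the sender's hook first (ERC-777 tokensToSend style)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.send_hooks = {}  # holder name -> callable(recipient, amount)

    def transfer(self, sender, recipient, amount):
        hook = self.send_hooks.get(sender)
        if hook is not None:
            hook(recipient, amount)  # external code runs here, before any balance changes
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{sender} cannot send {amount}")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class VulnerablePool:
    """Reads the ledger, calls the token, then writes the stale value back."""

    NAME = "pool"

    def __init__(self, token):
        self.token = token
        self.ledger = {}  # user name -> deposit the pool believes it holds

    def deposit(self, user, amount):
        recorded = self.ledger.get(user, 0)           # read ...
        self.token.transfer(user, self.NAME, amount)  # ... external call (hook fires) ...
        self.ledger[user] = recorded + amount         # ... stale write erases the re-entrant withdraw

    def withdraw(self, user, amount):
        if self.ledger.get(user, 0) < amount:
            raise ValueError("withdraw exceeds recorded deposit")
        self.ledger[user] -= amount
        self.token.transfer(self.NAME, user, amount)


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions ordering plus a reentrancy guard on every entry point."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False

    def _guard(self, fn, *args):
        if self._entered:
            raise RuntimeError("reentrant call rejected")
        self._entered = True
        try:
            return fn(*args)
        finally:
            self._entered = False

    def deposit(self, user, amount):
        return self._guard(self._deposit, user, amount)

    def _deposit(self, user, amount):
        self.ledger[user] = self.ledger.get(user, 0) + amount  # effect first
        try:
            self.token.transfer(user, self.NAME, amount)       # interaction last
        except Exception:
            self.ledger[user] -= amount  # mimic the EVM reverting the whole call
            raise

    def withdraw(self, user, amount):
        return self._guard(super().withdraw, user, amount)


class ReenteringDepositor:
    """Depositor contract whose send hook calls back into the pool mid-transfer."""

    NAME = "user"

    def __init__(self, pool, token):
        self.pool = pool
        self.reenter = False   # True: call withdraw from inside the next deposit
        self.rejected = False  # set when the pool refused the nested call
        token.send_hooks[self.NAME] = self.on_send

    def on_send(self, recipient, amount):
        if recipient != self.pool.NAME or not self.reenter:
            return
        self.reenter = False  # one nested call per outer deposit keeps the trace readable
        try:
            self.pool.withdraw(self.NAME, amount)
        except RuntimeError:
            self.rejected = True


def run_scenario(pool_cls):
    """Clean deposit, deposit with a nested withdraw, then withdraw what the ledger records."""
    token = HookedToken({"pool": 1000, "user": 200})  # constructed starting balances
    pool = pool_cls(token)
    depositor = ReenteringDepositor(pool, token)
    pool.deposit("user", 100)
    depositor.reenter = True
    pool.deposit("user", 100)
    recorded = pool.ledger["user"]
    pool.withdraw("user", recorded)
    return {"recorded": recorded, "user_tokens": token.balances["user"],
            "pool_tokens": token.balances["pool"], "reentry_rejected": depositor.rejected}


if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        print(cls.__name__, run_scenario(cls))
```

With the vulnerable pool the depositor starts with 200 tokens and ends with 300 while the pool drops from 1000 to 900, because the nested withdraw is overwritten by the stale ledger write and the inflated entry is then cashed out. With the hardened pool the guard rejects the nested call, the ledger matches the tokens actually held, and the pool's balance is unchanged. Updating state before the external call is what removes the stale-write window; the guard is defence in depth for entry points that still need to call out.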
